In your HIPAA documentation? Our HR lady and myself have been hitting it pretty hard this year getting everything ready just in case. How is everyone handling the addressable objects? A form? Verbal explanation?

HIPAA citations that are "N/A" (only addressable ones) have to be individually noted in a section of your HIPAA Risk Analysis report, along with an explanation.

For example, a heading of: "Discussion of HIPAA Addressable Safeguards"

Text should be a table consisting of each citation such as (will enter what I can in this HTML box but should give you the idea):

| Clause/Citation | Safeguard | Rationale | Suggested - Alternative |
| --- | --- | --- | --- |
| 164.310(a)(1) | Facility Access Controls. Maintenance records (Addressable): Organizations must document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors and locks). | IT currently is dividing the maintenance of facilities with the facilities department. | Assign the responsibility of maintenance and physical components of the computing facility solely to the facilities department. |

This is what is required based on the ONC's "Recommended" HIPAA Methodology (and it isn't HITRUST!) called NIST 800-30.


This is the NIST HSR toolkit, a pretty well thought out Java-based questionnaire that covers EVERYTHING (each question actually references where the requirement came from, has a place to attach and reference your policies, etc.)! It's about 2200 questions long and I'd imagine it is exactly what an auditor would be using when/if they audit you.
